In corporate networks, it is necessary to solve the problems of preventing information leaks, filtering unwanted content, detecting and neutralizing attacks. Filtering Internet traffic significantly increases the security of the local network, as it allows you to provide administrative control over Internet use, downloads and provides blocking of visits to potentially dangerous resources, as well as, when necessary, sites not related to work.
The solution to the filtering problem is complicated by the growth in the volume of SSL traffic, its share in the Russian segment for example of the Internet by the fall of 2020 approached 95% 1, and the introduction of TLS 1.3 support on many sites introduced additional requirements for the ability to decrypt secure traffic.
The modern solution to this problem is to use the Man-in-the-Middle (MitM) technology, where the firewall plays the role of the “man”.
In a simplified way, it happens like this:
- the gateway inspects the connection using the TLS 1.3 protocol from the client device to the website where the user’s request comes;
- after receiving a response from the website, the information is transmitted by the gateway to the client device also using a secure protocol, but already with a certificate issued by the security gateway.
Thanks to this scheme, the gateway has the ability to inspect traffic transmitted to the protected network segment from the outside, as well as traffic transmitted from the internal network to external addresses.
As a result, all encrypted SSL traffic, including TLS 1.3, is analyzed using the full set of filtering methods supported by the gateway, in the same mode as unencrypted.
“In order to analyze traffic, UserGate uses, among other things, signature analysis, scanning for viruses and identifying signs of attacks on infrastructure elements. All suspicious activities are logged. In addition, if necessary, traffic can be transmitted to third-party information protection tools, such as sandboxes. to detect certain types of threats already there.
Traffic filtering and logging is carried out in real time, with no visible delays for network users or attackers.
Filtering at the application level Classic firewalls process traffic from the first to the fourth layers of the OSI model, that is, from the physical layer to the transport layer, and, as a rule, operate only with the ip-address, source, destination ports and the type of transport protocol used in the connection.
Many applications now operate on protocols that use the open 443rd port of the firewall, and the classic firewall simply cannot filter or understand the application content of this traffic.
But the fact is that applications are now able to scan available ports and establish a connection to the outside using any open external port. Nothing prevents the malware from gaining access and transmitting data to the outside via the open 443rd port.
Next Generation Firewalls (NGFWs) already fully handle connections up to the seventh application layer of the OSI model, which allows you to analyze application traffic and data transmitted by applications.
“The application control function at the seventh level in UserGate is based on an updatable signature database. Now there are more than a thousand applications in the database, and this data can be used in configuring firewall rules, which allows solving problems, for example, limiting the bandwidth for video content from video hosting sites or on the contrary, configure traffic prioritization for video conferencing.
In this case, the gateway uses several filtering mechanisms:
- filtering by category;
- morphological analysis;
- safe search in black and white lists;
- blocking contextual advertising at the gateway level;
- prohibition of downloading certain types of files;
- technology of anti-virus traffic scanning based on Deep Content Inspection.
The suggested solution provides its own database of electronic resources for content filtering – more than 500 million website addresses and more than 70 categories. The developer carries out a daily update of the list of sites, re-checks the already entered resources for changes in content and relevance of information about categories.
Decrypting SSL traffic and working at the application layer of the OSI model allow the gateway to carry out a full morphological analysis of the content and recognize individual words and phrases in traffic coming from websites. If the text contains a sufficient number of vocabulary words and phrases to block, then the connection is defined as unsafe, and access to the site is blocked.
To filter content, morphological dictionaries are used, updated by the developer and containing lists of materials prohibited by the Ministry of Justice of the Russian Federation, as well as materials related to suicide, terrorism, pornography, obscene language, casinos, drugs, and information subject to Federal Law dated December 29. 2010 № 436-FZ “On the protection of children from information that is harmful to their health and development.” Dictionaries are available in Russian, English, German, Japanese and Arabic.
Additional filtering options
The administrator can set additional web security parameters for the HTTP and HTTPS protocols:
- blocking ads;
- the “inject script” function, which allows you to insert the necessary code into all web pages viewed by the user;
- forced inclusion of safe search for search engines Google, Yandex, Yahoo, Bing, Rambler, Ask and YouTube portal to block inappropriate content;
- enabling logging of user search queries;
- blocking applications of popular social networks.
Filtering TLS GOST
The development of this area does not stand still, and the issue of trust in certificates and in the resources that use them is still not fully resolved. At the moment, the debate on the topic “Do I need to decrypt TLS 1.3” has subsided, but the following question arose: what to do with TLS GOST? The implementation of the TLS protocol using GOST algorithms was invented so that foreign certification authorities would not be able to revoke the certificate of any resource, thereby disrupting its availability for visitors.
Currently, the organization of work of portals using GOST algorithms is complicated by another problem: well-known foreign browsers and operating systems do not want to accept certificates compatible with GOST, do not trust them and simply do not allow users to visit. For correct access to such resources, the user needs to have an appropriate browser (at the moment there are two such browsers on the market) or an import-substituted operating system.
There are two main problems in using TLS with support for GOST encryption algorithms:
1. Infrastructure problem
Not all devices are ready to use compatible certificates, especially mobile devices. In this case, UserGate allows you to accept a GOST-compliant certificate, decrypt traffic and send it inside the network with a clear internal corporate certificate. Thus, there is no need to use special browsers to access resources. Users do not have to migrate from their familiar products.
2. Security issue
Unfortunately, the presence of a certificate only guarantees that the portal really belongs to the organization that it represents. If the site was compromised, if certificates were stolen (such cases are also known), or if a malicious file is transmitted within a secure connection, then all this will be safely implemented, even despite the use of encryption using TLS GOST. At the same time, no solution is ready to disclose traffic with domestic encryption algorithms for detailed content analysis.
UserGate operates on a specially designed and supported operating system, as well as on specially designed hardware devices to ensure the highest efficiency and speed of traffic processing.
The developers paid a lot of attention to creating their own platform, not based on the use of someone else’s source code and third-party modules.
UserGate has received a number of awards specifically for the quality of Internet filtering and is widely used for this purpose in many organizations, universities and telecom operators.